Urgent- Login disabled for NAC Agent

Hi All,
Not able to log in to the NAC Agent after downloading and installing it on a Windows XP machine.
Please find attached the logs collected through the Cisco log packager.
Please help us in troubleshooting this issue.
An early response would be appreciated.
Note:
Thanks,
Abuzar

Hi Abuzar,
Is this a L2 or L3 setup?
Is the CAS in VGW or Real-IP mode?
On the NAC Agent logs I see that the client tries first TCP/8905 discovery to 10.0.0.1 (default GW) and 192.168.1.10 (Discovery Host), then UDP discovery both in L2 to address 10.0.0.1 (on port 8905) and in L3 to the address 192.168.1.10 (on port 906), but none of these discovery methods returned a response from the CAS.
Make sure that the discovery traffic hits the CAS, and then that the SSL certificate installed on the CAS points correctly to the IP address of the CAS (the service IP if you're in HA mode).
In L2, the discovery should succeed with the attempt to contact the default gateway, as the CAS is either going to be the default gateway itself (in case of L2/Real-IP) or it's going to intercept this traffic (in L2/VGW).
If you're in L3 (meaning that you have at least 1 hop between the client machine and the CAS), make sure that L3 support is enabled on the CAS and that the traffic to the discovery host crosses or hits the CAS (the discovery host may be the CAS itself or a host on the trusted side of the network); in this case you will need to configure policy-based routing accordingly.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Similar Messages

  • Urgent :Authentication fails for Policy Agent on weblogic 8 SP3

    Hi
    I am using policy agent for perimeter authentication for an application deployed on WebLogic. When I try to access the application using any user which exists on Identity Server, I get the following exception in the amRealm log.
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()
    09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.authenticate() Initialized callback handler for Subject:
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login()
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login() : User name from Callback amAdmin
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: SSOTokenValidator failed with exception
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: Invalid transport string version
    at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
    at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
    at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
    at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
    at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
    at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()

    Hi,
    I have not set it up as a Windows service but can try to help. For one thing, this step is not permanent, and if it does not work then you can undo this step by re-editing the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer (it was copied into the bea domain directory during installation of the agent), which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc. then the agent won't work. So no permanent damage, you can change it if it doesn't work.
    I suggest you try it out and start the bea server as a service and see if it works - if not, try again.
    I am not sure what the Windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesn't work then you can just do the things in the setAgentEnv_AdminServer script, like setting those things in the classpath.
    Please let us know if it works and whether any extra steps are required. It would be helpful to others to know how to configure it as a Windows service.
    hth,
    Sean

  • NAC Agent only prompts for username and login on wireless

    Another question for the smart people of the world.
    I have had a couple of laptops where the Cisco NAC agent will prompt for a password and verify the computer via the wireless network, but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesn't seem to register that the NAC agent is installed and working even though it is.
    Any thoughts?
    Thanks

    Hi Jonathan,
    The NAC agent communicates with the CAS using the SWISS protocol. This protocol uses port 8095 for L2 adjacent devices to the CAS and port 8096 for L3 adjacent devices to the CAS. Have you checked if these ports are allowed through to the CAS for the wired clients? Do check whether the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analyze them and let you know where the process is failing.
    Do let me know if this helps.
    Regards,
    Som

  • SQL Server Agent job between 2 instances fails with Error 18456 - Login Failed for user

    Hi,
    SQL Server version: 2012 EE
    OS: Windows 2008 R2 Enterprise
    On my server, I have 2 instances, and I am trying to configure a SQL Server Agent job to query one table in Instance A and insert some modified data in Instance B, both on the same server.
    When I execute the job in instance A, I get the following error:
    Executed as user: NT SERVICE\SQLSERVERAGENT. Login Failed for user "NT SERVICE\SQLSERVERAGENT". [SQLSTATE 28000] (Error 18456). The step failed.
    I have already configured instance A as Master and disabled encryption by changing the parameter MsxEncryptChannelOptions to 0 in regedit. I've also made my target instance (instance B) a Target.
    What am I missing?
    Thanks for your attention and patience

    Hello,
    The NT SERVICE\SQLSERVERAGENT (virtual) account is not available on the other as you just mentioned. That is the reason for the login failed error. Try using a Windows login as the SQL Server Agent service account in both servers, the same Windows login (not a virtual account), and run jobs as the “sa” account.
    http://msdn.microsoft.com/en-us/library/ms345578.aspx
    You can also try a proxy account.
    http://technet.microsoft.com/en-US/library/ms190698(v=SQL.105).aspx
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
    The operations status remains with posture status pending forever and nothing else happens.
    Symptoms or Issue: The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes: Cisco advises that there are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution:
    • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • ISE redirect to install NAC Agent for Anyconnect users with Split Tunnel?

    Due to management directive I am not able to disable SPLIT TUNNEL for our VPN users. For this reason, I can not figure out how to enforce the REDIRECT to ISE for forcing the VPN users to install the NAC AGENT.
    Is this possible? If so can we get some documentation on how this is done? Screenshots would be great.
    Thanks,
    Dirk

    I couldn't find the answer that I seek in that doc.
    I am trying to see if I can force traffic to the redirect for installing the NAC agent, even on split tunnel traffic....perhaps forcing the first webpage the user opens forces the user to the redirect page if the NAC agent isn't detected.
    Thanks,
    Dirk

  • Run NAC agent before user login - Win7?

    Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
    I have all of the authen/authz policies working and functioning properly; however, I have run into an issue with the NAC agent running posture only after user login. This is causing some grief, mainly that users' required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied. I was hoping that posture would complete long before Windows login was even an option for the user, but for some reason I appear to require an interactive login to get the NAC agent to run posturing. Any thoughts or ideas on this? I tried the NAC agent installation with a couple of different user accounts on the Windows hosts but without success; it will only posture once I have interactive login. I went pretty deep on the removal of the posture conditions to simply checking a single Windows service but it didn't make any difference. Thanks for any advice!!
    IA

    Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
    IA

  • NAC AGENT WEB Your Login session Failed { status = 5 }

    Hi,
    I have a problem with NAC agent web. Has anyone seen this error before?
    Your Login session Failed  { status = 5 }
    I tested all of the following, and all are OK:
    • Test using another browser, Firefox for example
    • Test using another operating system
    • Check if there any restrictions between the user vlan and nac vlans
    Thnx

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • My itunes account was disabled for some reason.  I changed password in iforgot and still didn't work.  I could log in but not make purchases from the store so I set up a new login/account .  Is there any way to move my music to the new account?

    My itunes account was disabled for some reason.  I changed password in iforgot and still didn't work.  I could log in and see my music but not make purchases from the store or even redeem an itunes gift card so I set up a new login/account with another email account of mine. On the new account I can redeem my gift card and download items onto my ipad2.  Is there any way to move my music to the new account?

    Launch the Console application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Console in the icon grid.
    Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left. If you don't see that menu, select
    View ▹ Show Log List
    from the menu bar.
    Click the Clear Display icon in the toolbar. Then try the action that you're having trouble with again. Select any messages that appear in the Console window. Copy them to the Clipboard by pressing the key combination command-C. Paste into a reply to this message (command-V).
    When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
    Please do not indiscriminately dump thousands of lines from the log into this discussion.
    Important: Some private information, such as your name, may appear in the log. Anonymize before posting.

  • Determining which NAC Agent to use for ISE

    We are planning an upgrade to our ISE environment from 1.1.4 to 1.2. I have downloaded the agent that is recommended for 1.2 (NAC Agent 4.9.4.3) to begin testing with it. Unfortunately the first test I run is using that client against our ISE 1.1.4 servers. It doesn't work! It runs sporadically at best, taking up to 3 minutes to pop up and posture the system. Other times, I give up, after 20 minutes of waiting, and it never runs. This is quite a spot, I do not want to upgrade the ISE system to 1.2, then run into an issue and have to mass upgrade over 2000 clients all at once to get them running. My hope was to upgrade to the NAC Agent prior to the ISE upgrade but unfortunately that has been short circuited.
    So my question is, has anyone run ISE 1.2 with NAC Agent 4.9.1.6? That is what we are currently using, as it runs well against both ISE 1.1.4, and NAC 4.9.1 (which is still used for our wired environment). We need to find an agent we can use to bridge us from the time we upgrade ISE to 1.2, and the time we bring our wired environment into the ISE fold and remove NAC appliance. I should note, ironically, that 4.9.4.3 NAC Agent runs flawlessly against the NAC 4.9.1 appliance. The issue is running that NAC Agent against ISE 1.1.4. That is exactly the opposite of what I would have guessed! Please help!
    Jeff

    Yes sir, I am aware of that recommendation; however, once I downloaded and started testing several clients with that version, none of them ran well, if at all, against 1.1.4, which is the current production version we run in our environment. So I would have to either upgrade all 2000 clients immediately after we upgrade our ISE system to 1.2, or take a chance that our current agent (4.9.1.6) will run against ISE 1.2. I was hoping to find a recommendation of an agent version that runs well against both ISE 1.1.4 and ISE 1.2 so we could upgrade the clients at a controlled rate prior to upgrading ISE to 1.2.

  • NAC Agent Login Trouble

    I'm a student at Georgia Southern University. I use a Lenovo X200 Tablet with Windows 7 Ultimate 32-bit. Up until last week I had no trouble with NAC agent logging into my university's network. Since last Monday or so, when I log in it says I have to update current Windows, but Windows is totally up to date, including optional updates, everything but language packs.
    I've tried system restore, I've tried fixing registry issues, I've scanned for viruses, Re-updated windows, and reinstalled NAC agent.  Nothing seems to work, it just won't recognize I'm up to date.  I took it to my IT department (resnet), and they didn't help at all.
    Any ideas on how to fix this?

    Jonas,
    Sorry for the late reply. Can you ask your university IT folks, as to what the failure report shows for your PC in their CCA reports section? The key thing to look for is whether it's a particular update that CCA is hanging up on or not.
    Please advise.
    Thanks,
    Faisal

  • NAC Agent for Windows 7

    Any ideas on when the NAC agent will be supported on Windows 7? Version 4.6.2.113 installs but doesn't work properly. Thanks

    In the event logs are you seeing any failed authentications? Also can you enable trace on all the logging categories and download a log bundle.
    Look for the nac_manager.log file that has the timestamp of the user authentication. See if there are any issues with the OOB communication...along with ldap.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Anybody know the Roadmap for combining NAC Agent and Cisco AnyConnect?

    Heard a rumor that Cisco is going to combine the functionality of the NAC Agent and Cisco AnyConnect as far as being an 802.1x supplicant, does anyone have any information about this?  Like is it true and if so, any idea when it will happen?

    Hi ,
    There is no committed plan for NAC and AnyConnect integration. But AnyConnect now comes with a module called NAM (Network Access Module) which can do dot1x as well.
    Here is the link for that :
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    Thanks
    Waris

  • Disabling the previous agent info on the login screen

    We are using IPCC enterprise 8.03 with CTIOS and offer multiple shifts in our call center. Due to security reasons, we would like to disable the last agent logged in info from the IPCC agent desktop. Currently when an agent launches IPCC desktop, it displays the agent id and extension of the last agent who was logged in; we would like to set it where last agent's information is not automatically pre-populated.
    Thanks for your help..

    We use the below bat file for launching CAD to remove existing agent data.
    @echo off
    setlocal
    REM # This script re-writes the .ini file for CAD to clean up old usernames.
    REM # It restores a copy of the .ini file over the current version, and
    REM # substitutes the username field with the current user and removes
    REM # (blanks) any existing phone extension.
    set INI_LOCATION="C:\Program Files\Cisco\Desktop\config\PhoneDev.cfg"
    REM set INI_LOCATION=PhoneDev.ini
    REM ### Original File: ###
    REM [PhoneDevice]
    REM Appearance0=6752
    REM [AgentID]
    REM AgentID=test
    REM [AgentMobilePhone]
    REM RemoteAgent=0
    REM Number=
    REM AgentWorkMode=0
    REM ######## END of Original #####
    C:
    REM ## Build new file from scratch
    echo [PhoneDevice] > %INI_LOCATION%
    echo Appearance0= >> %INI_LOCATION%
    echo [AgentID] >> %INI_LOCATION%
    echo AgentID=%USERNAME% >> %INI_LOCATION%
    echo [AgentMobilePhone] >> %INI_LOCATION%
    echo RemoteAgent=0 >> %INI_LOCATION%
    echo Number= >> %INI_LOCATION%
    echo AgentWorkMode=0 >> %INI_LOCATION%
    REM # END
    cd "C:\Program Files\Cisco\Desktop\bin"
    start agent.exe
    exit

  • My 5-minute-old AppleId account was disabled immediately for security reasons. I have followed instructions carefully and although I seem to be able to change my password, I cannot login using the new password bcs account disabled for security reasons!

    It is probably something to do with the fact that I am in the Philippines, but what am I supposed to do? According to the support options I have to pay to open a support ticket. My account was not verified when it was disabled and I think I might be in some sort of deadlock in which the password reset won't work because I'm not verified, and the verification won't work because I can't log in.
    I've never bought a single Apple product before and this has got to be the worst intro I could have imagined!

    Solved.
    After about an hour on the phone with US support (who were very helpful I must say) it turns out that if you do not have an iTunes account with credit card information and a billing address, you are very much more likely to get your AppleId account disabled "for security reasons". This begs the question of course as to whose security we are talking about here! But there you go. If you are an Apple first-timer, get an iTunes account, fill in all your details, and you should be alright.
    Thanks for everyone's suggestions.
